Note
web
python
xs-leak
browser-bot
timing-attack
samesite
Infer cross-origin secrets from navigation timing, redirect behavior, or window state when direct reads are impossible.
XS-Leak Timing / Top-Level Navigation with a Browser Bot
The attacker cannot read cross-origin responses directly, but can still infer information from navigation timing, redirect behavior, window state, or which action the bot performs next.
Why It Works
- A browser bot that visits attacker pages, keeps cookies, and can be made to navigate top-level windows leaks one bit at a time through observable side effects.
Vulnerable Pattern
- Browser bots that follow links, retain cookies, and can open or navigate top-level windows.
- A server response whose status, redirect target or timing changes depending on whether a candidate prefix of the secret matches.
Exploit Flow
- Build a one-bit oracle first: "did the bot redirect to me?" or "did this complete faster when the prefix matched?"
- If the secret is prefix-comparable, binary-search it with multiple timed navigations or observable branches.
Variations
window.open, top-level redirects for SameSite=Lax, history.length, window.name, or native error-page detection.
Common Blockers
- Noisy timers, headless-browser hardening, bot time limits, or network jitter dominating the signal.
PoC Sketch
# open /check?prefix=a, measure when the bot reaches your callback page,
# binary-search the prefix on fast vs slow navigation or redirect behavior
Good Situations To Use It
- A bot visits your page with the victim's cookies.
- A secret is checked prefix-by-prefix server-side.
- You have a stable timing or redirect oracle.
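Defensive Counterpart

As an added example (not part of the original note), the prefix-comparable check from the Vulnerable Pattern section beside a hardened version: a constant-time full comparison, a uniform response shape, and the headers that close the SameSite=Lax and window.open channels listed under Variations. The token value, the Response type and the header set are constructed for the demo.

```python
import hmac
from dataclasses import dataclass

# Constructed secret for the demo; a real app would load it from its store.
SECRET_TOKEN = "d4c3b2a1f0e9"


def prefix_check_leaky(candidate: str, secret: str = SECRET_TOKEN) -> bool:
    """The pattern the note warns about: work done (and therefore response
    time or branch taken) grows with the length of the matching prefix, so
    each navigation leaks roughly one character of the secret."""
    for i, ch in enumerate(candidate):
        if i >= len(secret) or secret[i] != ch:
            return False  # early exit: cost depends on how much matched
    return len(candidate) == len(secret)


def prefix_check_fixed(candidate: str, secret: str = SECRET_TOKEN) -> bool:
    """Hardened form: full-length comparison in constant time. compare_digest
    only hides which byte differs, not a length mismatch; the token length
    here is fixed and public, so that is acceptable."""
    return hmac.compare_digest(candidate.encode(), secret.encode())


@dataclass(frozen=True)
class Response:
    status: int
    headers: dict
    body: str


def defended_headers() -> dict:
    """Headers that close the navigation and window-state channels."""
    return {
        # Strict: cookie is not attached to any cross-site request, including
        # the top-level GET navigations that Lax would still allow.
        "Set-Cookie": "session=...; Secure; HttpOnly; SameSite=Strict",
        # Sever the opener reference so a window opened from the attacker
        # page cannot be probed through the handle window.open() returns.
        "Cross-Origin-Opener-Policy": "same-origin",
        "Cross-Origin-Resource-Policy": "same-origin",
        "X-Frame-Options": "DENY",
        "Cache-Control": "no-store",
    }


def check_endpoint(candidate: str) -> Response:
    """Uniform response: same status and headers whether or not the
    candidate matches, so redirect and error-page detection see nothing."""
    ok = prefix_check_fixed(candidate)
    return Response(200, defended_headers(), "ok" if ok else "no")
```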
Sources
- LACTF2026/web/append-note
- LACTF2026/web/extend-note